Viewing Events, Alarms and Audit Trail Records

Events and alarms are captured in real time, and are accessed in the Events & Alarms menu, under the Monitoring sub-menu. The Events window includes all events in the system. Alarms are critical or important events. Audit trails are events initiated by users.

Step 3 Select a record and click View... to open the detail window (Figure 10-2). You can also double-click the record.

Figure 10-2 Events Module Detail Window

Step 4 Review the properties and actions for the record. See Table 10-1 for field descriptions.

Note Event fields available vary depending on the type of event. The following example is for a door event.

Table 10-1 Event Properties

Field

Description

Time

The time and date when the event occurred.

Time received

The time the event was received and stored in the database. If the event was processed by an external device such as a Gateway, this may differ from the time, depending on delays or interruptions in communications between the host and the device.

Site

A site is a single instance of a Cisco PAM database.

Type

The type of event. The types of events are:

•Event: A general occurrence within the system, often from external hardware such as a Gateway.

•Edit...: Revise the credential watch level associated with the badge.

Personnel Record

If a personnel record is associated with the event, this field displays the person's name.

•Edit...: Edit the personnel record associated with the event.

•View Photo...: Displays the associated personnel record photo, if any.

Data

This field displays detailed information about the event, the exact value and meaning of which depends on the type of event. This field is generally for advanced or troubleshooting use. If the event is associated with an attempt to gain access to an access point using a badge that is not in the database, then this field contains the card number.

Target device

The device associated with the event. For example, the device where a command was executed.

•Edit: modify the device settings.

Camera

The camera associated with the device.

•Live Video: opens the video player to view live video from the camera associated with the device.

Alarm Properties

An alarm has the following properties, available in the table view or the detail window:

Table 10-3 Alarm Properties

Field

Description

Time

The date and time when the alarm occurred.

Time Received

The time the alarm was received and stored in the database. If the event was processed by an external device such as a Gateway, this may differ from the time, depending on delays or interruptions in communications between the host and the device.

•Edit...: Revise the credential watch level associated with the badge.

Address

The address of the device.

Personnel Record

If a personnel record is associated with the alarm, this field displays the person's name.

•Edit...: Edit the personnel record associated with the event.

•View Photo...: Displays the associated personnel record photo, if any.

Data

This field displays detailed information about the event, the exact value and meaning of which depends on the type of event. This field is generally for advanced or troubleshooting use. If the event is associated with an attempt to gain access to an access point using a badge that is not in the database, this field contains the card number.

Count

The number of times this alarm has occurred, including duplicates. (Duplicate alarms have all attributes the same except time.)

Viewing Audit Trail Records

Audit trail records are events caused when an operator modifies a record, such as a badge or personnel record. Audit trail records include the user who performed the action, the date, time, and the state of the object before and after the edit. To view audit trail records, do the following:

Step 1 Select Audit Trail from the Reports menu. The main window (Figure 10-5) shows the most recent audit records.

Figure 10-5 Audit Trail Main Window

Step 2 Modify the list of records using the following toolbar controls:

•Scroll Lock: Disable or enable automatic scrolling of the list as new audit records are inserted.

Step 3 Select a record and click View... to open the detail window (Figure 10-6). You can also double-click the record.

Step 4 Review the properties and actions for the record. See Table 10-4 for field descriptions.

Figure 10-6 Audit Trail Detail Window

Table 10-4 Audit Trail Event Properties

Field

Description

Time received

The time the event was received and stored in the database. If the event was processed by an external device such as a Gateway, this may differ from the time, depending on delays or interruptions in communications between the host and the device.

Site

A site is a single instance of a Cisco PAM database.

Type

The type of event. The types of events are:

•Event: A general occurrence within the system, often from external hardware such as a Gateway.

•Edit...: Revise the credential watch level associated with the badge.

Personnel Record

If a personnel record is associated with the event, this field displays the person's name.

•Edit...: Edit the personnel record associated with the event.

•View Photo...: Displays the associated personnel record photo, if any.

Data

This field displays detailed information about the event, the exact value and meaning of which depends on the type of event. This field is generally for advanced or troubleshooting use. If the event is associated with an attempt to gain access to an access point using a badge that is not in the database, then this field contains the card number.

Modified Record

The item changed by the user.

•View Current...: Opens a detail window of the modified record, as it exists currently.

•View Before...: Opens a detail window of the modified record, as it existed before the modification.

•View After...: Opens a detail window of the modified record, as it existed after the modification.

Viewing Recent Events for a Device, Driver, or Location

To view a list of recent events for a device or driver, do the following:

Adding a Color Border to Event Photos (Credential Watch)

Credential watch allows you to display event photos with a colored border to provide additional information regarding the status of the badge holder.

For example, if a guard uses Event Photos to view photos of the people accessing a door, a colored border can visually signify if the user is a contractor, visitor, etc.

The default credential watch levels are:

•Low: a yellow border around the photo.

•Medium: an orange border around the photo.

•High: a red border around the photo.

You can modify these definitions, or create custom watch levels. For example, if the badge holder has been employed less than one year, an ORANGE border may appear around the photo. If the badge holder is a contractor, a RED border may appear around the photo.

To configure Credential Watch, do the following:

To do this

Use this display

Step 1

Enable Credential Watch Levels menu:

a. Select System Configuration from the Admin menu.

b. Select the Miscellaneous tab.

c. Select the Enable credential watch levels check-box.

d. Click Save.

e. Log out and log back in to Cisco PAM to activate the changes (select Log Out from the Options menu).

d. Enter the order number of the level to define the hierarchy of the levels. For example, enter 0 to display the new level at the top of the list. This can also define the relative importance or severity of the levels.

e. Click Choose to select a border color for the photos when using Event Photos.

f. Click Save and Close.

Step 4

Add the credential watch level to a badge configuration:

a. Select Badges from the Admin module.

b. Click Add or select an existing badge and click Edit.

c. Select the General tab.

d. Select the Watch Level from the drop-down menu. For example, New Employee.

Step 5

Open the Event Photos module: select Event Photos from the Events & Alarms menu, in the Monitoring sub-menu.

Step 6

Present the badge to the door card reader to display the associated badge photo in Event Photos. In this example, a dark blue border is displayed and the watch level is "New Employee".

Note The screen appears blank (without fields or data) until a photo event is available for display.

Using Filters to Limit the Photos and Doors Events Displayed by Event Photos

By default, Event Photos displays the photos and events for any badge presented to any door on the system. Use the Filter to display only events for a specific door or set of doors. For example, the guard at the front entrance should only see the event photos for badges presented at that particular door.

In addition, the photo associated with a badge is shown two times by default: one time when the credential is read, and one time for the Grant Access event. Use Filters to only display the photo once.

Complete the following instructions to limit the doors and photos displayed by Event Photos:

Step 1 To select specific doors to display event information:

a. Select Edit Filter from the Filters toolbar menu.

b. In the filter window, select the Device tab, and then select the Choose button (Figure 10-10).

c. Select the doors or devices that will display events in Event Photos.

d. Click OK to close the Choose Devices window.

e. Click OK to close the Filter window and save the changes.

Figure 10-10 Filter Device Window

Step 2 To display the photo once for each badge presentation:

a. In the filter window, select the General tab, and then select the Choose button in the Log Code field (Figure 10-11).

Figure 10-11 Filter Log Code

b. Select the events to be displayed in Event Photos, as shown in Figure 10-12. For example, select Door Grant Access.

Figure 10-12 Select the Log Code

c. Click OK to close the windows and save the changes.

Recording External Events

External applications can record events in Cisco PAM using the recordExtEvent API. Once recorded, the events are displayed in the Events & Alarms Monitoring modules.

External Event Types are defined using the Event Definition Format and imported using the steps described in the following sections.

4. Add external events and alarms to Cisco PAM using the recordExtEvent API, as described in the Cisco Physical Access Control API Reference Guide.

Define External Event Types Using the Event Definition Format

Use the Event Definition Format to create an XML file that defines the event and alarm codes used to add external events to Cisco PAM. This file also defines the category for the events and is imported into Cisco PAM to create the codes.

Example

In the following XML example:

•The concatenation rule is: AE.<logcode_prefix>_<logcode>

•Event category: AE.Cisco_VSM

•The log codes for the category are: AE.VS_VSM_Sample1 and AE.VS_VSM_Sample2

    <appext_eventdefns
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <appext_entry appname="Cisco_VSM" logcode_prefix="VS">
        <ext_event_defn logcode="VSM_Sample1"
                        priority="10"
                        description="VSM Sample Event-1"/>
        <ext_event_defn logcode="VSM_Sample2"
                        priority="10"
                        description="VSM Sample Event-2"
                        isAlarm="true"/>
      </appext_entry>
    </appext_eventdefns>

The file is saved with the .xml extension. For example: SampleExtEventDefns.xml.

Create a Text File to Define the Event Names in Cisco PAM

To define the log code names displayed in Cisco PAM, create a text file that defines a string name for each event and the event category.

In the following example, the string name for the two events and the event category are defined:

    VS_VSM_Sample1=Sample Event-1
    VS_VSM_Sample2=Sample Event-2
    Cisco_VSM=Cisco Video Surveillance Manager

The file is saved with the .properties extension. For example: AppExtMessages.properties.
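The two files must agree before import: every log code built by the concatenation rule needs a display name, and so does the category. The following pre-import check is an added example, not part of the Cisco documentation or tooling. The function names, the default values for a missing priority or isAlarm attribute, and the refusal of a DOCTYPE are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the two example files shown on this page.
SAMPLE_XML = """<appext_eventdefns
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <appext_entry appname="Cisco_VSM" logcode_prefix="VS">
    <ext_event_defn logcode="VSM_Sample1" priority="10"
                    description="VSM Sample Event-1"/>
    <ext_event_defn logcode="VSM_Sample2" priority="10"
                    description="VSM Sample Event-2" isAlarm="true"/>
  </appext_entry>
</appext_eventdefns>"""

SAMPLE_PROPERTIES = """VS_VSM_Sample1=Sample Event-1
VS_VSM_Sample2=Sample Event-2
Cisco_VSM=Cisco Video Surveillance Manager
"""


def parse_definitions(xml_text):
    """Apply the AE.<logcode_prefix>_<logcode> rule to a definition file."""
    # Assumption: the format shown on the page uses no DTD, so refuse one
    # instead of letting the parser expand entity declarations.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not expected in an event definition file")
    root = ET.fromstring(xml_text)
    categories, events = [], []
    for entry in root.iter("appext_entry"):
        appname = entry.get("appname")
        prefix = entry.get("logcode_prefix")
        if not appname or not prefix:
            raise ValueError("appext_entry needs appname and logcode_prefix")
        categories.append({"key": appname, "category": f"AE.{appname}"})
        for defn in entry.iter("ext_event_defn"):
            code = defn.get("logcode")
            if not code:
                raise ValueError("ext_event_defn needs a logcode")
            key = f"{prefix}_{code}"
            events.append({
                "key": key,                      # name used in the .properties file
                "logcode": f"AE.{key}",          # full log code after concatenation
                "category": f"AE.{appname}",
                # Assumed defaults when the attribute is absent.
                "priority": int(defn.get("priority", "0")),
                "is_alarm": defn.get("isAlarm", "false").lower() == "true",
            })
    return categories, events


def parse_properties(text):
    """Read key=value lines, skipping blanks and comment lines."""
    names = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        names[key.strip()] = value.strip()
    return names


def check_import_pair(xml_text, properties_text):
    """Return (events, problems) for a definition file and its names file."""
    categories, events = parse_definitions(xml_text)
    names = parse_properties(properties_text)
    problems, seen = [], set()
    for ev in events:
        if ev["logcode"] in seen:
            problems.append(f"duplicate log code {ev['logcode']}")
        seen.add(ev["logcode"])
        if ev["key"] not in names:
            problems.append(f"no display name for {ev['key']}")
    for cat in categories:
        if cat["key"] not in names:
            problems.append(f"no display name for category {cat['key']}")
    expected = {e["key"] for e in events} | {c["key"] for c in categories}
    for key in sorted(set(names) - expected):
        problems.append(f"unused property key {key}")
    return events, problems


if __name__ == "__main__":
    evs, issues = check_import_pair(SAMPLE_XML, SAMPLE_PROPERTIES)
    for ev in evs:
        kind = "alarm" if ev["is_alarm"] else "event"
        print(ev["logcode"], ev["category"], kind)
    print("problems:", issues)
```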

Import the Files into Cisco PAM

Once the XML and properties files are created, import the files into the Cisco PAM External Events module.

Viewing Workstation Activity

To view a summary of the users who access the system, select Workstations from the Events & Alarms menu, under the Monitoring sub-menu. The Workstations window (Figure 10-13) shows the most recent events in the access-control system.

Figure 10-13 Workstations Main Window

Tip To view additional details, such as the credentials and connected time, double-click a user name.

Configuring Events and Alarms

This section includes instructions to customize the behaviour of system events. For example, you can treat an event as an alarm, suppress recording, set the event priority, define the sound played for an alarm, and other settings.

Note Event policies are executed only on the Cisco PAM server.

This section also includes instructions to limit the type of events seen by users, and configure the Alarms module to automatically open when an alarm occurs.

Modifying Default Event Policies

Each event or alarm record includes a log code that defines the event type and actions associated with the event. The built-in event policies define inherent system behavior, such as which events are also alarms, and which events are recorded to the database (all built-in events are recorded to the database by default). These built-in policies are based on the log code only: no other criteria are used to define the event trigger.

The default event policies should be changed only if you need to change an inherent event behavior. For example:

•Whether the event is an alarm or an event.

•Whether the event is saved to the database.

•The event priority.

•The sound played when the event is triggered.

•The color shown for the event in the event modules.

When custom events are required, we recommend creating a custom event policy, as described in the following section.

Configuring Custom Event Policies

Event policies can be configured to trigger events and alarms based on one or more conditions, such as the event type, the source device, device type, location, time of occurrence, or other factors.

•If an event policy includes more than one condition, all the conditions must match for the event to be triggered.

•If multiple events apply to an event occurrence, the most specific event policy is executed. Since only one event policy can be triggered for any event, only the most specific event is used. To determine the most specific event, the following criteria are applied in decreasing order (the criteria at the top of the list are given greater importance):

1. Log code

2. Log code category

3. Device instance

4. Device group

5. Partition

6. Hierarchical location (Building, Area, etc.)

7. Device type

8. Time schedule

9. Invert time schedule (That is, "Not in" time schedule)

Examples

•If one event policy is based on a log code (such as Door Forced Open) and a second event policy uses the same log code in combination with other criteria (such as Time schedule), then the second event policy is selected.

•If one event policy is based on a device type, and a second is based on a device instance, then the device instance event prevails since it is higher in the list of criteria.

•If two event policies are based on the same time schedule, but the first event defines During time schedule and the second event defines Not during time schedule, the first event policy is used since During time schedule is higher in the list.

•If one event policy is based on a log code and a second policy is based on a collection of log codes and a location, all events in that location will use the second policy. Events from other locations will use the first policy.
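The selection rules above can be modelled to predict which policy will handle an event, which is useful when checking that a broad policy does not silently override a narrower alarm policy. The following is an added example, not Cisco PAM code. It assumes that "decreasing order" means a lexicographic comparison of which criteria each policy sets, an interpretation that agrees with the four examples above. The field names, policy names, device names, locations and schedule name are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Criteria in the order listed above, most important first.
CRITERIA = ("log_codes", "category", "device", "device_group", "partition",
            "location", "device_type", "during", "not_during")


@dataclass(frozen=True)
class Policy:
    name: str
    log_codes: frozenset = frozenset()   # a single log code or a collection
    category: Optional[str] = None
    device: Optional[str] = None         # device instance
    device_group: Optional[str] = None
    partition: Optional[str] = None
    location: Optional[str] = None       # hierarchical, e.g. "HQ" covers "HQ/Floor1"
    device_type: Optional[str] = None
    during: Optional[str] = None         # schedule that must be in effect
    not_during: Optional[str] = None     # schedule that must not be in effect


def specificity(policy):
    """1 for each criterion the policy sets, in list order (assumed lexicographic)."""
    return tuple(1 if getattr(policy, c) else 0 for c in CRITERIA)


def matches(policy, event):
    """Every condition set on the policy must match the event."""
    if policy.log_codes and event["log_code"] not in policy.log_codes:
        return False
    for field in ("category", "device", "device_group", "partition", "device_type"):
        wanted = getattr(policy, field)
        if wanted is not None and event.get(field) != wanted:
            return False
    if policy.location is not None:
        loc = event.get("location", "")
        if loc != policy.location and not loc.startswith(policy.location + "/"):
            return False
    active = event.get("active_schedules", frozenset())
    if policy.during is not None and policy.during not in active:
        return False
    if policy.not_during is not None and policy.not_during in active:
        return False
    return True


def select_policy(policies, event):
    """Return the single most specific matching policy, or None."""
    candidates = [p for p in policies if matches(p, event)]
    if not candidates:
        return None
    # Ties are not described on the page; max() keeps the first one listed.
    return max(candidates, key=specificity)


# Constructed policies that follow the examples above.
POLICIES = [
    Policy("forced-open", log_codes=frozenset({"Door Forced Open"})),
    Policy("forced-open-after-hours", log_codes=frozenset({"Door Forced Open"}),
           during="After Hours"),
    Policy("all-doors", device_type="Door"),
    Policy("lobby-door", device="Lobby Door"),
    Policy("hq-door-events", location="HQ",
           log_codes=frozenset({"Door Forced Open", "Door Grant Access"})),
]

# Constructed events.
EVENTS = {
    "annex_night": {"log_code": "Door Forced Open", "device": "Dock Door",
                    "device_type": "Door", "location": "Annex",
                    "active_schedules": frozenset({"After Hours"})},
    "annex_day": {"log_code": "Door Forced Open", "device": "Dock Door",
                  "device_type": "Door", "location": "Annex",
                  "active_schedules": frozenset()},
    "lobby_grant": {"log_code": "Door Grant Access", "device": "Lobby Door",
                    "device_type": "Door", "location": "Annex",
                    "active_schedules": frozenset()},
    "hq_forced": {"log_code": "Door Forced Open", "device": "Server Room Door",
                  "device_type": "Door", "location": "HQ/Floor1",
                  "active_schedules": frozenset()},
}


def winners():
    """Map each sample event to the name of the policy that handles it."""
    return {k: select_policy(POLICIES, e).name for k, e in EVENTS.items()}


if __name__ == "__main__":
    for event_name, policy_name in winners().items():
        print(f"{event_name:12} -> {policy_name}")
```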

If specified, the policy only applies to the device. Click Choose to select the device. Click Clear to remove the device. If no device is specified, the event applies to all devices.

Device Group

If specified, the policy only applies to the device group (for example: Door, Gateway, or Reader). Click Choose to select the group. Click Clear to remove the group. If no device group is specified, the event applies to all device groups. See also Configuring Device Groups, page 6-28.

Partition

If present, the policy only applies to this partition.

Classification

If present, the policy only applies to this classification.

Anti-passback area

If present, the policy only applies to this anti-passback area.

Anti-passback area (exit)

If present, the policy only applies to this anti-passback area exit.

Entrance

If present, the policy only applies to this entrance.

Zone

If present, the policy only applies to this zone.

Hierarchical location

If present, the policy only applies to the doors in this location.

Device type

If present, the policy only applies to devices of this type.

Time Schedule

Any time

Generate events at all times and dates.

During time schedule

Generate events only during the specified Time schedule.

Not during time schedule

Do not generate events during the specified Time schedule. Generate events at all times outside the specified Time schedule.

Specifies if events with this log code will be recorded as an alarm. Alarms are shown in the Alarms module.

Is Recorded

Specifies if events with this log code will be recorded to the database. If unchecked, there is no record of these events occurring. This should only be unchecked by advanced users under the advice of Cisco technical support.

Priority

A priority used for sorting events and alarms. Positive priorities are above normal priority, while negative priorities are below normal priority. Zero is normal.

Alert Sound

The sound to be played, if Is Alarm is checked. Available alert sounds are managed in Configuring Alert Sounds. Click Play to preview the alarm sound.

Background color

The color of the event entry. Click Choose to select a color. Click Clear to restore the default white background.

Foreground color

The color of the event text. Click Choose to select a color. Click Clear to restore the default black text.

Automatically Open the Alarm Window

To automatically open the alarm window when an alarm occurs, do the following:

Step 1 Select Profiles from the Users menu.

Step 2 Click Add, or select an existing profile and click Edit.

Step 3 Select the General tab, and the sub-menu Events/Alarms (Figure 10-16).

Step 3 (Add or Edit only) Enter a name for the schedule, as shown in Figure 10-18.

Figure 10-18 Time Schedule: Detail Window

Step 4 Select a Priority.

Step 5 Define the schedule times:

a. Click Add, or select an existing entry and click Edit or Delete.

b. (Add or Edit only) Specify the time interval for the schedule, as shown in Figure 10-18.

Figure 10-19 Time Schedule Interval

c. Enter the Start and End time in hour and minute format (hh:mm).

d. Select the Days of Week for the schedule.

e. Select additional Holidays for the schedule.

f. Click Save and Close.

g. Repeat step a to step f to define additional time intervals, if necessary.

Step 6 Click Save and Close to save the changes in the detail window (Figure 10-18).

Configuring Alert Sounds

Alert sounds play when an alarm occurs (if the alarm is configured with one of the available sounds). This section includes instructions to add or modify the available sounds. For instructions to assign the sounds to an alarm type, see Modifying Default Event Policies.

Step 2 The main window (Figure 10-20) shows the currently defined alert sounds.

•To modify an existing alert sound, select the entry and choose Edit... to open the detail window. You can also double-click the entry.

•To add a new alert sound, click Add... to open the detail window.

•Click Delete to delete the selected entry.

Figure 10-20 Alert Sound Module Main Window

Step 3 Edit a new or existing alert sound using the detail window (Figure 10-21):

Figure 10-21 Alert Sounds Module Detail Window

a. Click Import WAV File and select a sound file from a local drive. Click Play WAV File... to preview the alert sound.

b. Enter a name for the alert sound.

c. Click Save & Close.

Setting Event and Alarm Priorities

Priorities are used to sort or filter events and alarms. To define the priorities for an event or alarm log code, edit the Priority setting for the Log Code using the Event Policy Manager:

Step 1 Open the Event Policy Manager module in the Events & Alarms: Configuration menu. Edit an event policy by selecting it and clicking the Edit... button in the tool bar. This opens the Event Policy window (Figure 10-22).

Figure 10-22 Event Policy Window

Step 2 Use the Priority drop-down arrow to change the priority of the event or alarm. Positive priorities are above normal priority, and negative priorities are below normal. Zero is normal.

Step 5 Select or deselect the options for View, Create, Modify, or Delete.

Step 6 Click OK to save the changes.

Figure 10-23 Selecting Editable Fields in the Profiles Module

Using Graphic Maps

Graphic Maps provide a visual representation of the devices available in a location. Icons representing the devices provide real-time status and alarms information, and allow the user to trigger actions such as viewing live video or denying access to a door. Automated rules can also be invoked, and icons representing a location provide status and alarm summary for all the devices assigned to that location.

This section describes the map viewer, and the editor used to create the maps:

Graphic Maps Viewer

Figure 10-24 shows a sample map. In the top left frame, click + and - to expand and collapse the map folders and view associated devices. Right-click a device to view the actions and commands available for that device.

Figure 10-24 Graphic Maps Viewer Main Window

Icon Colors and Status

On the map, icons representing devices, automated rules, and locations provide status information using two colors: the inside fill color and the outside ring color.

Inside Fill Color

The inside color represents the device state.

•Light Green: Represents armed, secure, online states.

•Red: Represents unknown, active, offline states.

•Dark Blue: Represents disarmed, inactive states.

•Light Blue: Represents disarmed, active.

Outer Ring Color

The outer ring color represents the alarm state.

•Green: Represents a normally operating device free of any alarms.

•Orange: Represents a device in an acknowledged alarm or alarms state.

•Red: Represents a device in an alarm state.

Device Commands

Right-click an icon to view the available commands for that device. For example, you can view live video for a camera, or deny access for a door, depending on your access privileges.

Tip To trigger an automated rule, click the icon.

Layers and Views

Layers

Layers allow you to hide or display categories of icons, depending on the map configuration.

Click the Layers tab in the bottom left of the window, then right-click the layer title and select Toggle Layer Visibility.

For example, turn the Doors layer off to hide the door icons. Toggle the layer on to display the icons.

Layers that contain one or more devices have a + sign to the left of the layer icon, allowing it to be expanded to show the associated devices.

Views

Click the Views tab to select the available views. For example, one view may display an entire floor plan, while another view displays only the reception area.

Toolbar and Navigation Controls

Use the following menu controls to select maps and adjust the map display.

Table 10-6 Toolbar and Navigation Controls

Control

Description

Back Arrow

Navigates backwards in the viewed maps history.

Forward Arrow

Navigates forward in the viewed maps history.

Up Arrow

Navigates to maps linked to the displayed map.

All Maps

Opens a menu containing all maps for easy navigation regardless of whether the sidebar is shown.

Layers

Displays all layers in the open map, and allows you to show and hide layers, regardless of whether the sidebar is shown.

Views

Displays a selected map view, regardless of whether the sidebar is shown.

Hide/Show Sidebar

Hides/Shows the Maps, Layers, and Views tabs in the sidebar.

Print

Prints the currently displayed map.

Zoom

The zoom tool is located in the upper right of the Graphic Maps Viewer. Use the drop-down arrow to select a zoom percentage, or type in custom zoom percentage number and press Enter. To cancel the zoom and reset the view, use the zoom tool drop-down and select Reset, or right-click the map and click Reset View.

Zoom Marquee

To zoom a map to a specific rectangular area, hold down the Control button, then click and drag a rectangle on the map. Release the mouse button and the map will zoom to fit the rectangle. To scroll the map, hold down the Shift button, click the map and drag to a desired location.

Graphic Map Editor

Use the Graphic Map Editor to create facility maps and add icons that represent doors, cameras, locations and automated rules. Once configured, the maps are viewed using the Graphic Map Viewer.

Caution Do not use the Graphic Maps Editor while other client workstations have the Graphic Maps Viewer or Graphic Maps Editor open. Use of the Graphic Maps Editor while any other client workstations have the Graphic Maps Viewer or Graphic Maps Editor opened may result in system errors.

To create or modify graphic maps, do the following:

To do this

Use this display

Step 1

Select Graphic Map Editor from the Admin menu.

Step 2

(Optional) Add a folder for map organization:

a. Click New Folder.

b. To rename the folder, right-click the folder and select Folder Properties from the command menu.

Step 3

Create a new map:

a. Click New Map.

b. Select a background image from a local drive. Background images are typically floor or building layouts.

Tip You can also select options to create folders and maps by right-clicking a map folder.

Step 4

(Optional) Use the clip and zoom controls to adjust the image:

•Clip: use the Clip button to crop a map image. To clip a map, click the Clip button, click and drag a rectangle on the graphic map, and then click the Clip again to crop the map.

•Zoom: zoom in or out using the zoom tool in the upper right of the window. Click + or - to zoom in and out, select a zoom percentage, or enter the percentage in the box.

To cancel the zoom and reset the view, select Reset from the drop-down menu, or right-click the map and click Reset View.

•Zoom Marquee: to zoom a map using the zoom marquee feature, hold down the Control button, click and drag a rectangle on the map. Release the mouse button and the map will zoom to fit the rectangle.

Tip To move a map, hold down the Shift button, click the map and drag to a desired location. Navigate between modifications by using the Undo and Redo buttons.

Step 5

(Optional) Right-click the map to access the following functions:

•Reset View: cancel a zoom view and return to 100%.

•Change Background: selects a new background image for the map.

•Edit Map Properties: defines the properties of the map, such as the icon scale.

Tip Click a Layer icon in the bottom left window to organize the map elements into different layers. For example, click a layer and add the devices, then click another layer and add locations or commands. You can turn layers on or off by right-clicking the layer and selecting Toggle Layer Visibility. Select Edit Layer Properties to rename the layer. A green check indicates the active layer (the layer that new icons will be added to).

Step 8

Add commands to the map. Users can click on command icons in Graphic Maps Viewer to invoke the command.

a. Click the Commands tab to view the commands available for the selected device.

b. Drag a command to the map. The Device Command window opens.

c. Click OK to accept the selected command and add it to the map.

Step 9

(Optional) To select a different device and command combination using the Device Command window, do the following:

a. Select the device(s)

–Single: click Choose and select a single device or door from the Hardware view, as shown in the example to the right.

–Multiple (by filter) of type: select a device type from the drop-down menu. To refine the selection, click Filter and select the filter options.

–Multiple (by group) of type: select a device group from the drop-down menu.

b. Select a command for the device(s): click Choose and select a command from the list.

c. (Optional) Click Choose to select the Parameters for the command, if required.

Note If Choose is shown in black, you must click the button to continue. Select a parameter from the list. If the message "Are you sure you want to continue?" appears, click OK. This message indicates that a parameter is not required.

d. Click OK.

Step 10

(Optional) Add automated rules to the map.

a. Click the Devices tab and select the Automation Driver.

b. Click the Commands tab and drag the icon for Invoke Automation Rule to the map. The Device Command window appears.

Note In the Device Command window, the selected device is Automation Driver, and the selected command is Invoke Automation Rule.

a. Zoom and position the map to focus on a specific area or set of devices.

b. Click View in the top menu bar.

c. Use your mouse to click and drag a border within the map.

d. Release the mouse button to select the area. The Map View window appears.

e. Adjust the View properties, if necessary. Click Make default view to make the view the default when the map is opened in the Graphic Map Viewer.

f. Click OK to save the changes and create the new view.

g. To change the name and other settings, right-click the view name and select Edit View Properties.

Step 12

(Optional) Edit the icon properties.

Right-click a map icon and select Edit Icon Properties.

To change the icon image, click Choose in the Image section of the Properties window.

Step 13

Click Save. Changes are visible in the Graphic Maps Viewer only after they are saved.

Archiving Historical Events

Historical events are old events or alarms that you wish to remove from the main database. Archived historical events are removed from the live Events & Alarms listings. This can improve system performance and simplify system monitoring since only the latest, most relevant, events and alarms are displayed.

There are three steps to archiving historical events:

1. Copy historical events: copies old events to a separate Cisco PAM database table. The events are still visible in Cisco PAM Events & Alarms. They are also included in system backups, and you can run reports on the events.

2. Prune historical events: deletes copied events from the main database table. The historical events are still in the Cisco PAM database, but are not visible in Events & Alarms. The historical events are still included in system backups, and you can run reports on the events.

3. Archive historical events: creates a compressed, password-protected file of the historical events, and deletes the events from the Cisco PAM database. This can significantly reduce the size of the Cisco PAM database and backup file.

The archive file can be copied to another location, and restored to the Cisco PAM database if necessary. The file can also be used by other applications to view old events or run reports. In addition, the historical event records are self-contained: referenced objects, such as a person's name and card number, are retained even if the original record is deleted. Reports on historical events can also span a much longer time range than is normally possible for live events.

To copy, prune, and archive historical events, enable the Historical Events driver. You can use the driver commands to copy and prune old events, or create an automated task to perform these actions on a regular schedule.

Verify that event pruning was successful, and clear the event queue, if necessary.

Events or alarms that have a dependent action (such as an automated rule) cannot be pruned. For example, if the related device (such as a Gateway) is disabled or deleted, then the event will not clear and pruning will fail. To clear these events and allow pruning to continue, invoke the Clean up queues command, as described in the following example:

a. Select Events from the Events & Alarms menu, under the Monitoring sub-menu.

•In the example to the right, the second event from the bottom reads "Successfully pruned 0 events". This means that the events could not be pruned since one or more events have a dependent action (such as an automated rule).

b. To clear any dependencies for the events, right-click the Historical Events Driver and select the Clean up queues command.

c. Verify that the events were pruned. In the example to the right, the event outlined in green reads "Successfully pruned 2554 events". This indicates that the historical events were successfully pruned.

Step 9

(Optional) Archive the historical events database to remove old events from the main database.

Creating an Automated Rule to Archive Historical Events

To automatically move old events from the live events database to the historical events database, create automated rules to copy and prune old events. Create automated rules to clean up the event queues, start and stop copying, and then start and stop pruning, in that order.

Choose task times that minimize system impact but consider the latency between when an event occurs and when it is available in the historical events table.

•If performance is critical and latency is not, configure copying and pruning during off-peak hours.

•If low latency is important, and the copying and pruning does not impact system performance, configure the actions to occur around the clock.

c. Enter the number of days that events remain in the live events database before they are moved to the historical events database.

–Click the Driver tab.

–In Live events window (days), enter the number of days. For example, enter 30 to keep events in the live view for 30 days. After midnight on day 30, the events are moved to the historical events. The number is rounded to midnight of the last day.